Russia viewed the midterm elections as a “warm-up” for 2020. The U.S. military’s hacking division is treating it that way, too.
In the run-up to the presidential election, U.S. Cyber Command is surging election defense efforts that proved useful during the midterms, officials told reporters Tuesday -- including probing allies' computer networks to glean insights about Russian threats.
Cybercom is also working more closely with election defense teams at the Department of Homeland Security and the FBI, and with industry sectors that are targeted by Kremlin hackers and might have early warnings about threats facing the election, my colleague Ellen Nakashima reported from that briefing.
“Our goal is to have no interference in our elections,” said Maj. Gen. Tim Haugh, who heads the command's cyber national mission force. “Ideally, no foreign actor is going to target our electoral process.”
Cybercom is the only outfit among the myriad federal, state and local government agencies tasked with protecting the 2020 election that is allowed to punch back against Russian hackers -- and it's using new authorities granted during the Trump administration to be more aggressive in cyberspace.
The command took advantage of this in 2018. At the request of Britain, Macedonia and Montenegro -- three key allies Kremlin hackers targeted -- Cybercom observed Russian activity inside those countries' government networks, Ellen reported. In the operation code-named Synthetic Theology, the U.S. shared the Russian malware found in those networks with American companies at risk of being targeted with the same malicious software, officials said. The samples were posted to VirusTotal, a public malware-sharing platform that Cybercom had only recently begun using.
Cybercom expects to do more of those operations in the lead-up to 2020, but not necessarily with the same allies, the officials said.
And of course, Cybercom showed another way it can flex its muscle in the days leading up to the midterm elections, when it launched an operation to cut off Internet access to a notorious Russian troll farm.
The military's preparations for 2020 also include sharing information with DHS under a program launched by former defense secretary Jim Mattis and former Homeland Security secretary Kirstjen Nielsen. That operation continues despite the secretaries’ departure, Haugh said.
And Cybercom is also partnering with DHS to build closer ties with critical industry sectors under a program called Pathfinder, he said — beginning with the financial services and energy sectors.
The idea behind Pathfinder is that DHS clues Cybercom into the digital threats facing those industries -- and then Cybercom goes looking for information that will help them defend themselves. And that information, in turn, might be useful to election security efforts, he said.
“To compete in this space against the adversaries, malicious cyber actors, we've got to be out there every day and we have to be in contact with them,” Haugh said.
“In 2016 … we had to build new relationships,” he added. “We’ve now gained the benefit from that hard work in 2020. We’re starting from a set of foundational partnerships.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Cyber Command leaders on Tuesday also pushed back on some of the reporting surrounding a Symantec report released Monday that described NSA hacking tools that made their way into the hands of Chinese hackers -- specifically, the idea that NSA had lost control of its digital weapons.
According to Symantec, Beijing didn’t steal the hacking tools from NSA’s computers but basically reconstituted them after NSA used the tools against Chinese targets. The New York Times, which was first to report Symantec's findings, compared that to “a gunslinger who grabs an enemy’s rifle and starts blasting away,” and described it as “the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.”
Cybercom, which shares a leadership structure with NSA, didn't confirm the Symantec report. But officials argued that adversaries capturing and repurposing the tools used against them is common -- and it's something NSA and Cybercom take into account before deciding to use a tool.
Once the U.S. government or anyone else uses a previously secret hacking tool, it loses value pretty quickly, Maj. Gen. Karl H. Gingrich said. “Safeguarding [hacking tools] is a priority for us and they’re safeguarded,” he said. “But then they’re used in the environment and once they’re out there, they’re out there . . . It’s part of the risk assessment.”
Georgetown University cybersecurity professor Matt Blaze had a similar take on Twitter:
Exploits are, in effect, "secret weapons", with all that that implies: once deployed, they don't stay secret for long (especially when used against sophisticated targets). Once this happens, only sensible policy is to disclose/fix underlying vul. https://t.co/qWAIneoxXa— matt blaze (@mattblaze) May 7, 2019
As did former NSA hacker and Dragos founder Robert M. Lee:
My late night take: if we’re going to yell at the NSA for making an exploit that an adversary saw in an intrusion and learned from as an example of “losing control of weapons” then we should just argue that no one should make exploits ever because they can all be lost in that way— Robert M. Lee (@RobertMLee) May 7, 2019
The hacking tools described in the report exploit what are called zero days: vulnerabilities the software vendor doesn't know about and therefore hasn't patched, so targets have no ready defense against them. That makes them extremely dangerous and extremely valuable for hackers.
The U.S. government acquires zero days, whether found by its own researchers or bought from outside ones, then puts them through a "vulnerabilities equities process" to decide whether to alert the vendor so the flaw can be fixed or to keep the flaw secret and use it against adversaries.
PATCHED: May is shaping up to be election security month on the Hill.
House Administration Committee Democrats plan to release an election security bill in the next few weeks and are seeking Republican co-sponsors, a committee spokesman told me. That will mark the first stand-alone election security bill in the House this Congress.
Goals for that bill include “to provide financial support for election infrastructure, foster accountability for election technology vendors … and prevent election hacking,” the spokesman said. The committee will hold an election security hearing with experts this morning.
In the Senate, sponsors of the Secure Elections Act already shared plans to reintroduce their bill in the next couple of weeks. That’s the bipartisan bill that came closest to passing last Congress — but prospects don’t look great for it passing this time around.
A spokesman for Sen. Ron Wyden (D-Ore.) says he also plans to reintroduce an election security bill from last Congress that had stricter requirements — including a mandate for paper ballots or backups.
Wyden’s bill, the Protecting American Votes and Elections Act, was popular among Senate Democrats including numerous 2020 presidential candidates, but didn’t win any Republican co-sponsors. And neither Senate bill reached a vote on the floor.
PWNED: The Baltimore City government, which has had no shortage of troubles, was hit with its second ransomware attack in just over a year Tuesday, the Baltimore Sun’s Ian Duncan and Colin Campbell reported.
“Critical systems, including 911 and 311, were not…affected, but…the majority of city servers were shut down,” the Sun reported. “The effects ranged from a City Council committee canceling a hearing on gun violence to water customers being unable to get billing questions answered.”
By late afternoon the ransomware was quarantined but the full damage of the attack was still not clear, a spokesman for Mayor Bernard C. “Jack” Young told the Sun.
The city hasn't yet seen evidence that hackers stole any personal data, Young said on Twitter:
At this time, we have seen no evidence that any personal data has left the system. Out of an abundance of precaution, the city has shut down the majority of its servers. We will provide updates as information becomes available.— Mayor Bernard C. Jack Young (@mayorbcyoung) May 7, 2019
Ransomware attacks – in which hackers lock up the victim’s computers and refuse to unlock them unless paid – have hit numerous cities in recent years, raising concerns about vital services being shut off. The Justice Department charged two Iranian hackers in 2018 with crimes including a ransomware attack against the city of Atlanta that cost the city an estimated $9 million to recover from.